[Openid-specs-ab] Issue #863: Stateless Registration Discovery/Messages (openid/connect)

Salvatore D'Agostino sal at idmachines.com
Fri Jul 26 13:23:31 UTC 2013


+1

-----Original Message-----
From: John Bradley [mailto:issues-reply at bitbucket.org]
Sent: Thursday, July 25, 2013 9:41 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Issue #863: Stateless Registration Discovery/Messages (openid/connect)

New issue 863: Stateless Registration Discovery/Messages 
https://bitbucket.org/openid/connect/issue/863/stateless-registration-discovery-messages

John Bradley:

OpenID Connect currently requires registration for clients.

Clients using a self issued IdP may register as part of the authorization 
request, by sending the "registration" parameter containing a JSON object, and 
using their redirect_uri as the client_id.

There is a desire by some IdPs to allow clients that are not pre-registered to 
access a minimal set of claims for a user.   This could be done with the 
existing method by using the existing "registration" parameter to signal that 
the client has not pre-registered.

Almost everything needed for this is in the current spec.
The needed additions would be an indication in Discovery that the 
Authorization server supports this, and something in messages saying that if 
the client is not pre-registered it MUST send the "registration" parameter with 
at least {} as the contents if no other parameters are needed.

The AS would formulate a normal response verifying the client_id and the 
redirect_uri match as is specified for the self_issued AS, then issue a normal 
code or implicit response.

This would allow an IdP to return the "sub" claim to a client for SSO only 
without any real security concerns as the Audience prevents replaying across 
clients, and nonce if used (I think should be recommended) prevents replay 
across browsers.
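The AS-side check the issue describes, written out as an added example (not code from the thread, the issue, or the OpenID Connect specs): a pre-registered client_id goes through the usual redirect_uri whitelist, while an unregistered client must send "registration" as a JSON object (at least {}) and must use its redirect_uri as its client_id, as for a self-issued OP. The registered-client table and the query strings are constructed for the example; the nonce check is reported as a warning because the issue only recommends nonce.

```python
import json
from urllib.parse import parse_qs

# Constructed sample: the AS's pre-registered clients (assumption for this example).
REGISTERED_CLIENTS = {"pre-registered-client": {"redirect_uris": ["https://rp.example/cb"]}}


def check_authz_request(query: str, registered_clients=REGISTERED_CLIENTS) -> dict:
    """Validate the identity part of an authorization request from a client that
    may or may not be pre-registered.  Returns {"ok": True, ...} or
    {"ok": False, "error": ...}.  Only the client_id / redirect_uri / registration
    logic from the issue is covered; response_type, scope etc. are out of scope."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    if not client_id or not redirect_uri:
        return {"ok": False, "error": "client_id and redirect_uri are required"}

    warnings = []
    if "nonce" not in params:
        # The issue recommends nonce: without it the response can be replayed across browsers.
        warnings.append("nonce absent: no protection against replay across browsers")

    client = registered_clients.get(client_id)
    if client is not None:
        # Pre-registered client: the normal redirect_uri whitelist check applies.
        if redirect_uri not in client["redirect_uris"]:
            return {"ok": False, "error": "redirect_uri not registered for client"}
        return {"ok": True, "client_id": client_id, "registration": None, "warnings": warnings}

    # Unregistered client: "registration" MUST be present and MUST be a JSON object ({} minimum).
    if "registration" not in params:
        return {"ok": False, "error": "unregistered client must send the registration parameter"}
    try:
        registration = json.loads(params["registration"])
    except ValueError:
        return {"ok": False, "error": "registration is not valid JSON"}
    if not isinstance(registration, dict):
        return {"ok": False, "error": "registration must be a JSON object"}

    # Self-issued rule: the client_id is the redirect_uri, so the two must match exactly.
    # This is what lets the "aud" of the ID Token (= client_id) bind it to one redirect target.
    if client_id != redirect_uri:
        return {"ok": False, "error": "client_id must equal redirect_uri for an unregistered client"}
    return {"ok": True, "client_id": client_id, "registration": registration, "warnings": warnings}
```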
